Is your business pushing you to have these high complexity exception rules or have you tried to build these yourself ?
As the exception rules grow over time, they will most definately cause an overhead if not an outage (if you continaually add more and more exeptions to each policy over time), push this back to the business so the owness is on them and not you for any outages.
The length of time it takes for a given policy to load is dictated by the number of rows generated for what is called the “execution matrix” which is what is loaded into memory as a representation of the policy/ruleset and is designed to optimize detection performance.
The execution matrix has a sort of Achilles heel when it comes to exception rules which is best summed up the the simple formula below…
num of rows = (number of matching rules) * (number of rules in excep1) * (num of rules in except2) * ... * (num of rules in exception n)
The number of “normal” rules adds very little overhead to the numer of rows in the matrix, but when it comes to exception rules the number of rows can grow exponentially if each of the exception rules has more than one statement.
A simple example would be a policy that had 10 normal rules and 5 exception rules each with 4 statements. The math would be 10 * 4 * 4 * 4 * 4 *4 = 10240 rows.
When they get too big, the filereader process may fail to load in an appropriate time adding a massive overhead onto mail throughput, essentionally marking each EMP node of the load balancer as down reducing the EMP footprint for available processing servers.
You may need to consolidate the number of exception senders so that multiple departments have access to the same mailbox/smtp sender address.